Rob Winch
4 years ago
4 changed files with 108 additions and 0 deletions
Binary file not shown.
|
After Width: | Height: | Size: 103 KiB |
@ -0,0 +1,107 @@
@@ -0,0 +1,107 @@
|
||||
[[persistant]] |
||||
= Persisting Authentication |
||||
:figures: servlet/authentication |
||||
|
||||
The first time a user requests a protected resource, they are xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationentrypoint[prompted for credentials]. |
||||
One of the most common ways to prompt for credentials is to redirect the user to a xref:servlet/authentication/passwords/form.adoc[log in page]. |
||||
A summarized HTTP exchange for an unauthenticated user requesting a protected resource might look like this: |
||||
|
||||
.Unauthenticated User Requests Protected Resource |
||||
==== |
||||
[source,http] |
||||
---- |
||||
GET / HTTP/1.1 |
||||
Host: example.com |
||||
Cookie: SESSION=91470ce0-3f3c-455b-b7ad-079b02290f7b |
||||
---- |
||||
|
||||
[source,http] |
||||
---- |
||||
HTTP/1.1 302 Found |
||||
Location: /login |
||||
---- |
||||
==== |
||||
|
||||
The user submits their username and password. |
||||
|
||||
.Username and Password Submitted |
||||
==== |
||||
[source,http] |
||||
---- |
||||
POST /login HTTP/1.1 |
||||
Host: example.com |
||||
Cookie: SESSION=91470ce0-3f3c-455b-b7ad-079b02290f7b |
||||
|
||||
username=user&password=password&_csrf=35942e65-a172-4cd4-a1d4-d16a51147b3e |
||||
---- |
||||
==== |
||||
|
||||
Upon authenticating the user, the user is associated to a new session id to prevent xref:servlet/authentication/session-management.adoc#ns-session-fixation[session fixation attacks]. |
||||
|
||||
.Authenticated User is Associated to New Session |
||||
==== |
||||
[source,http] |
||||
---- |
||||
HTTP/1.1 302 Found |
||||
Location: / |
||||
Set-Cookie: SESSION=4c66e474-3f5a-43ed-8e48-cc1d8cb1d1c8; Path=/; HttpOnly; SameSite=Lax |
||||
---- |
||||
==== |
||||
|
||||
Subsequent requests include the session cookie which is used to authenticate the user for the remainder of the session. |
||||
|
||||
.Authenticated Session Provided as Credentials |
||||
==== |
||||
[source,http] |
||||
---- |
||||
GET / HTTP/1.1 |
||||
Host: example.com |
||||
Cookie: SESSION=4c66e474-3f5a-43ed-8e48-cc1d8cb1d1c8 |
||||
---- |
||||
==== |
||||
|
||||
|
||||
[[securitycontextrepository]] |
||||
== SecurityContextRepository |
||||
|
||||
// FIXME: api documentation |
||||
In Spring Security the association of the user to future requests is made using {security-api-url}org/springframework/security/web/context/SecurityContextRepository.html[`SecurityContextRepository`]. |
||||
|
||||
[[httpsecuritycontextrepository]] |
||||
=== HttpSecurityContextRepository |
||||
|
||||
The default implementation of `SecurityContextRepository` is {security-api-url}org/springframework/security/web/context/HttpSessionSecurityContextRepository.html[`HttpSessionSecurityContextRepository`] which associates the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontext[`SecurityContext`] to the `HttpSession`. |
||||
Users can replace `HttpSessionSecurityContextRepository` with another implementation of `SecurityContextRepository` if they wish to associate the user with subsequent requests in another way or not at all. |
||||
|
||||
[[nullsecuritycontextrepository]] |
||||
=== NullSecurityContextRepository |
||||
|
||||
If it is not desirable to associate the `SecurityContext` to an `HttpSession` (i.e. when authenticating with OAuth) the {security-api-url}org/springframework/security/web/context/NullSecurityContextRepository.html[`NullSecurityContextRepository`] is an implementation of `SecurityContextRepository` that does nothing. |
||||
|
||||
[[requestattributesecuritycontextrepository]] |
||||
=== RequestAttributeSecurityContextRepository |
||||
|
||||
The {security-api-url}org/springframework/security/web/context/RequestAttributeSecurityContextRepository.html[`RequestAttributeSecurityContextRepository`] saves the `SecurityContext` as a request attribute to make sure the `SecurityContext` is avaible for a single request that occurs across dispatch types that may clear out the `SecurityContext`. |
||||
|
||||
For example, assume that a client makes a request, is authenticated, and then an error occurs. |
||||
Depending on the servlet container implementation, the error means that any `SecurityContext` that was established is cleared out and then the error dispatch is made. |
||||
When the error dispatch is made, there is no `SecurityContext` established. |
||||
This means that the error page cannot use the `SecurityContext` for authorization or displaying the current user unless the `SecurityContext` is persisted somehow. |
||||
|
||||
== SecurityContextPersistenceFilter |
||||
|
||||
The {security-api-url}org/springframework/security/web/context/SecurityContextPersistenceFilter.html[`SecurityContextPersistenceFilter`] is responsible for persisting the `SecurityContext` between requests using the xref::servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`]. |
||||
|
||||
image::{figures}/securitycontextpersistencefilter.png[] |
||||
|
||||
<1> Before running the rest of the application, `SecurityContextPersistenceFilter` loads the `SecurityContext` from the `SecurityContextRepository` and sets it on the `SecurityContextHolder`. |
||||
<2> Next, the application is ran. |
||||
<3> Finally, if the `SecurityContext` has changed, we save the `SecurityContext` using the `SecurityContextPersistenceRepository`. |
||||
This means that when using `SecurityContextPersistenceFilter`, just setting the `SecurityContextHolder` will ensure that the `SecurityContext` is persisted using `SecurityContextRepository`. |
||||
|
||||
In some cases a response is committed and written to the client before the `SecurityContextPersisteneFilter` method completes. |
||||
For example, if a redirect is sent to the client the response is immediately written back to the client. |
||||
This means that establishing an `HttpSession` would not be possible in step 3 because the session id could not be included in the already written response. |
||||
Another situation that can happen is that if a client authenticates successfully, the response is committed before `SecurityContextPersistenceFilter` completes, and the client makes a second request before the `SecurityContextPersistenceFilter` completes the wrong authentication could be present in the second request. |
||||
|
||||
To avoid these problems, the `SecurityContextPersistenceFilter` wraps both the `HttpServletRequest` and the `HttpServletResponse` to detect if the `SecurityContext` has changed and if so save the `SecurityContext` just before the response is committed. |
||||
Loading…
Reference in new issue